How to do a GET with SSL client auth through TElPKCS11CertStorage (ref_cl_httpsclient.xml)

#35147
Posted: 12/01/2015 11:39:10
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Hello,

I didn't find anything.

I would like to do a GET request over a URL that needs SSL client certificate authentication.

My client certificate is stored in an HSM.

I know the solution should be using TElPKCS11CertStorage in HTTPSClient.ClientCertStorage, but I don't know how to do it exactly: how to indicate the slot where the private key I want to use is stored.

Any help would be very appreciated

thanks
#35148
Posted: 12/01/2015 15:29:25
by Vsevolod Ievgiienko (EldoS Corp.)

Thank you for contacting us.

Please take a look at the sample located in
\EldoS\SecureBlackbox.<edition>\Samples\<language>\PKIBlackbox\PKCS11\CertStorage folder. It shows how to work with PKCS#11 storages.

Also I’ve noticed there is no Support Access Ticket linked to your user account on EldoS site. Technical Support is provided to customers with the linked Support Access Ticket. You will find your Support Access Ticket together with all the details about how to use it in the registration e-mail that we’ve sent to you upon the purchase.

If you are evaluating the product and don't have a license yet, please let us know and then you can have support according to the Basic support level. The Basic support level includes answering basic technical questions that appear during the product evaluation period. We also offer Premium support for purchase from https://www.eldos.com/support/calc.php . You can use Premium Support to get a higher level of assistance during your evaluation of our products.
#35149
Posted: 12/02/2015 02:41:33
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Hi,

Yes, I'm evaluating the product.

Sorry, but in my samples folder I can't find that folder. I downloaded the .NET version of the product. Inside the PKIBlackbox folder there is only Desktop and CompactFramework, and in neither of them is there a PKCS11 folder.

Thanks
#35151
Posted: 12/02/2015 04:34:33
by Vsevolod Ievgiienko (EldoS Corp.)

In .NET version the sample is located in \EldoS\SecureBlackbox.NET\Samples\C#\PKIBlackbox\Desktop\CertTokenDemo folder.
#35153
Posted: 12/02/2015 06:38:37
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Ok,

I found it, thanks.

Now, I can manage pkcs11 certificates with the sample.

But I still don't know how to programmatically do a GET request over HTTPS with SSL client authentication.

Here is my code:
Code

Private Function PrepareHsm() As SBX509.TElX509Certificate
    Try
        ' pkcs11Cs is a TElPKCS11CertStorage kept as a form-level field
        pkcs11Cs.DLLName = "C:\Program Files\SafeNet\Protect Toolkit C SDK\bin\sw\cryptoki.dll"
        pkcs11Cs.Open()

        ' Open a read/write session on slot 1 and log in as the normal user (type 0) with the PIN
        Dim sInfo As TElPKCS11SessionInfo = pkcs11Cs.OpenSession(1, False)
        sInfo.Login(0, "0000")

        edtCertInfo.Text = "Numero de certificados: " & pkcs11Cs.Count

        For i As Integer = 0 To pkcs11Cs.Count - 1
            edtCertInfo.Text &= vbNewLine & "Certificado: " & pkcs11Cs.Certificates(i).SubjectName.CommonName
        Next
    Catch ex As Exception
        MsgBox(ex.ToString)
    End Try

    ' The caller ignores the return value; the storage itself is what gets used
    Return Nothing
End Function


Code

PrepareHsm()
HTTPSClient.ClientCertStorage = pkcs11Cs
MsgBox("CN: " & HTTPSClient.ClientCertStorage.Certificates(0).SubjectName.CommonName)
MsgBox("PK: " & HTTPSClient.ClientCertStorage.Certificates(0).PrivateKeyExists)

HTTPSClient.Get("https://sedecr.dgt.gob.es/WEB_NTRA_CONSULTA/listadoNotificacionesIdiomaPostback.faces?idioma=es")


But the GET response is the same as when, in Chrome, the user doesn't select client certificate auth.


Thanks
#35154
Posted: 12/02/2015 08:35:04
by Vsevolod Ievgiienko (EldoS Corp.)

Your code is correct and should work if the server requests client authentication. You can check this using the TElHTTPSClient.OnCertificateNeededEx event - it is fired when a client certificate is requested and can be used as an alternative to the ClientCertStorage property: https://www.eldos.com/documentation/sb...eeded.html
#35155
Posted: 12/02/2015 09:23:44
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Ok,

The event is fired, and I set the ByRef Certificate with this value:

pkcs11Cs.Certificates(0)

But it doesn't work. The app gets into a loop on that event, requesting the certificate again and again.

This method

HTTPSClient.ClientCertStorage.Certificates(0).PrivateKeyExists

returns False; maybe that's the problem, because to do client authentication a signature with the PK is mandatory, right?

Thanks
#35157
Posted: 12/02/2015 15:38:17
by Vsevolod Ievgiienko (EldoS Corp.)

Quote
But it doesn't work. The app gets into a loop on that event, requesting the certificate again and again.

Please check the event description posted above - you should return null after the certificate is passed.

Quote
HTTPSClient.ClientCertStorage.Certificates(0).PrivateKeyExists

PrivateKeyExists should be 'true', as the private key is needed for authentication - this is the reason for the problem.
#35160
Posted: 12/03/2015 04:17:04
by Pablo Sola (Premium support level)
Joined: 12/01/2015
Posts: 7

Quote
Vsevolod Ievgiienko wrote:
Please check the event description posted above - you should return null after the certificate is passed.


Ok, I get it. Sorry.

Quote

PrivateKeyExists should be 'true', as the private key is needed for authentication - this is the reason for the problem.


I don't understand why it's False. I used the CryptoToken demo to insert the .pfx into the HSM, through this code:
Code
Private Sub AddCertificate()
    Dim Cert As TElX509Certificate
    Dim F As FileStream
    Dim R As Integer
    Dim Pass As String
    If OpenDialogCert.ShowDialog = Windows.Forms.DialogResult.OK Then
        F = New FileStream(OpenDialogCert.FileName, FileMode.Open, FileAccess.Read)
        Try
            If RequestPassword("Password request", "Please enter password for certificate:", Pass) Then
                Cert = New TElX509Certificate
                Try
                    ' Load certificate and private key from the PFX
                    R = Cert.LoadFromStreamPFX(F, Pass, 0)
                Catch
                    Cert.Dispose()
                    Throw
                End Try
                If R = 0 Then
                    Try
                        ' Second argument True: copy the private key onto the token as well
                        Storage.Add(Cert, True)
                    Finally
                        Cert.Dispose()
                    End Try
                    RefreshCertificates()
                Else
                    MessageBox.Show("Failed to load certificate, error " + R.ToString("X4"), "", MessageBoxButtons.OK, MessageBoxIcon.Error)
                End If
            End If
        Finally
            F.Close()
        End Try
    End If
End Sub


Thanks
#35161
Posted: 12/03/2015 04:40:30
by Ken Ivanov (EldoS Corp.)

Hi Pablo,

Have you logged into the session when accessing your certificate (with Login() method)? Most hardware devices require you to log in before giving access to the private keys.

Ken
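Putting the thread's pieces together, as an added example that is not code from the original posts or from EldoS: the PKCS#11 storage is opened and the session logged in before the private key is checked (Ken's point), a certificate is only accepted if PrivateKeyExists is true (Vsevolod's point), and the OnCertificateNeededEx handler hands the certificate over once and then returns Nothing so the client does not loop. The handler signature (sender As Object, ByRef Certificate As TElX509Certificate), the SBPKCS11Base and SBHTTPSClient namespace names, the slot number, the PIN and the URL are assumptions or placeholders; only SBX509 and the member names used in the thread are confirmed by the page.

```vbnet
Imports SBX509          ' TElX509Certificate (namespace confirmed by the thread)
Imports SBPKCS11Base    ' TElPKCS11CertStorage, TElPKCS11SessionInfo (namespace assumed)
Imports SBHTTPSClient   ' TElHTTPSClient (namespace assumed)

Public Class HsmClientAuthDemo
    ' Kept as a field so the storage and its logged-in session outlive PrepareHsm()
    Private pkcs11Cs As New TElPKCS11CertStorage()
    Private clientCert As TElX509Certificate = Nothing
    ' Guard so the certificate is handed over only once (avoids the event loop from the thread)
    Private certAlreadyGiven As Boolean = False

    ' Opens the PKCS#11 module, logs into the slot and returns the first certificate
    ' whose private key the token exposes, or Nothing if there is none.
    Public Function PrepareHsm(dllPath As String, slot As Integer, pin As String) As TElX509Certificate
        pkcs11Cs.DLLName = dllPath
        pkcs11Cs.Open()

        ' OpenSession(slot, readOnly) and Login(userType, pin) as used in the thread;
        ' user type 0 is the normal user. Without Login() the token hides private keys,
        ' which is why PrivateKeyExists came back False in the thread.
        Dim sInfo As TElPKCS11SessionInfo = pkcs11Cs.OpenSession(slot, False)
        sInfo.Login(0, pin)

        For i As Integer = 0 To pkcs11Cs.Count - 1
            Dim c As TElX509Certificate = pkcs11Cs.Certificates(i)
            ' TLS client authentication needs a signature with the private key,
            ' so a certificate without an accessible key is useless here.
            If c.PrivateKeyExists Then
                Return c
            End If
        Next
        Return Nothing
    End Function

    ' Handler for TElHTTPSClient.OnCertificateNeededEx (signature assumed).
    ' The event keeps firing until Nothing is returned, so return the
    ' certificate once and Nothing on every later call.
    Private Sub OnCertNeeded(sender As Object, ByRef Certificate As TElX509Certificate)
        If certAlreadyGiven OrElse clientCert Is Nothing Then
            Certificate = Nothing
        Else
            Certificate = clientCert
            certAlreadyGiven = True
        End If
    End Sub

    Public Sub Run()
        ' Placeholder module path, slot and PIN; replace with the token's real values
        clientCert = PrepareHsm("C:\path\to\cryptoki.dll", 1, "<PIN>")
        If clientCert Is Nothing Then
            Throw New InvalidOperationException( _
                "No certificate with an accessible private key on the token; check Login() and the slot.")
        End If

        Dim client As New TElHTTPSClient()
        ' Option A (as in the thread): attach the whole storage
        ' client.ClientCertStorage = pkcs11Cs
        ' Option B: supply the certificate from the event, once
        certAlreadyGiven = False
        AddHandler client.OnCertificateNeededEx, AddressOf OnCertNeeded

        client.Get("https://example.invalid/resource")   ' placeholder URL
    End Sub
End Class
```

Reset certAlreadyGiven before every request, otherwise the second connection on the same client object would answer Nothing immediately and the server would see no client certificate at all.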